7.2.3.1 Disabled Container Network
A focused guide to Disabled Container Network, connecting core concepts with practical Docker and container operations.
A disabled container network, achieved through --network none, means the container exists with no functional connectivity to anything beyond its own loopback interface, a deliberate and complete absence of networking rather than merely a restricted or filtered version of it.
Confirming Networking Is Genuinely Disabled
Beyond simply lacking external connectivity, a container with disabled networking has no meaningful network configuration to inspect at all.
docker run -d --network none alpine sleep 1000
docker inspect $(docker ps -lq) --format '{{json .NetworkSettings.Networks}}'
This reveals essentially no useful network configuration, consistent with networking being disabled entirely rather than merely restricted.
Why This Differs From Restrictive Firewall Rules
A container with disabled networking has no network stack to speak of beyond loopback; this is a fundamentally different and stronger guarantee than a container with full networking but restrictive firewall rules, where the underlying capability for connectivity still exists, merely blocked by policy.
docker run -d --network none myapp:1.0
docker run -d --network bridge myapp:1.0
docker exec myapp iptables -A OUTPUT -j DROP
The first approach removes networking capability entirely at the container configuration level; the second relies on in-container firewall rules that could potentially be misconfigured, bypassed, or removed.
Applications That Specifically Cannot Use This Driver
An application expecting to perform any kind of network operation — even something as basic as DNS resolution for an internal lookup — will fail unexpectedly if run with disabled networking, making this driver inappropriate for anything beyond genuinely network-free workloads.
docker run --rm --network none myapp:1.0 some-task-requiring-network.sh
This fails if the task genuinely requires any network access at all.
Why Understanding Disabled Networking Matters
Recognizing that --network none provides a complete, structural absence of networking — not merely a restrictive policy layered on top of normal connectivity — clarifies both its strong isolation guarantee and its narrow applicability to workloads that truly have no networking needs whatsoever.